Randy Morgan via FreeIPA-users wrote:
We have been working to solve an expired certificate issue in IPA.
There is an open ticket in Red Hat support, case 02438518. We have tried
many things but so far have had no luck getting the certs to update.
Currently the system is running RHEL 8.0 and IPA 4.7.1.
pki-server cert-fix -n 'subsystemCert cert-pki-ca' -d /var/lib/pki/pki-tomcat/alias/ -C /root/passwd -vvv
INFO: Loading instance: pki-tomcat
INFO: Loading instance registry: /etc/sysconfig/pki/tomcat/pki-tomcat/pki-tomcat
INFO: Loading password config: /etc/pki/pki-tomcat/password.conf
INFO: Loading subsystem: ca
INFO: Loading subsystem config: /var/lib/pki/pki-tomcat/ca/conf/CS.cfg
INFO: Getting signing cert info for ca from CS.cfg
INFO: Getting signing cert info for ca from NSS database
INFO: Getting ocsp_signing cert info for ca from CS.cfg
INFO: Getting ocsp_signing cert info for ca from NSS database
INFO: Getting sslserver cert info for ca from CS.cfg
INFO: Getting sslserver cert info for ca from NSS database
INFO: Getting subsystem cert info for ca from CS.cfg
INFO: Getting subsystem cert info for ca from NSS database
INFO: Getting audit_signing cert info for ca from CS.cfg
INFO: Getting audit_signing cert info for ca from NSS database
INFO: Fixing the following certs: ['ca_ocsp_signing', 'sslserver', 'subsystem', 'ca_audit_signing']
INFO: Stopping the instance to proceed with system cert renewal
INFO: Selftests disabled for subsystems: ca
INFO: Getting sslserver cert info for ca from CS.cfg
INFO: Getting sslserver cert info for ca from NSS database
INFO: Trying to create a new temp cert for sslserver.
INFO: Generate temp SSL certificate
INFO: Getting sslserver cert info for ca from CS.cfg
INFO: Getting sslserver cert info for ca from NSS database
INFO: CSR for sslserver has been written to /tmp/tmpg_738l5a/sslserver.csr
INFO: Getting signing cert info for ca from CS.cfg
INFO: Getting signing cert info for ca from NSS database
INFO: CA cert written to /tmp/tmpg_738l5a/ca_certificate.crt
INFO: AKI: 0x1D0F356A3E7A6968A231723231EB22DA5A01F542
INFO: Temp cert for sslserver is available at /etc/pki/pki-tomcat/certs/sslserver.crt.
INFO: Getting sslserver cert info for ca from CS.cfg
INFO: Getting sslserver cert info for ca from NSS database
INFO: Getting sslserver cert info for ca from CS.cfg
INFO: Getting sslserver cert info for ca from NSS database
INFO: Updating CS.cfg with the new certificate
INFO: Getting ocsp_signing cert info for ca from CS.cfg
INFO: Getting ocsp_signing cert info for ca from NSS database
INFO: Trying to setup a secure connection to CA subsystem.
INFO: Secure connection with CA is established.
INFO: Placing cert creation request for serial: 49
Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/urllib3/connectionpool.py", line 600, in urlopen
    chunked=chunked)
  File "/usr/lib/python3.6/site-packages/urllib3/connectionpool.py", line 343, in _make_request
    self._validate_conn(conn)
  File "/usr/lib/python3.6/site-packages/urllib3/connectionpool.py", line 849, in _validate_conn
    conn.connect()
  File "/usr/lib/python3.6/site-packages/urllib3/connection.py", line 356, in connect
    ssl_context=context)
  File "/usr/lib/python3.6/site-packages/urllib3/util/ssl_.py", line 350, in ssl_wrap_socket
    context.load_cert_chain(certfile, keyfile)
ssl.SSLError: [X509: KEY_VALUES_MISMATCH] key values mismatch (_ssl.c:3550)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/requests/adapters.py", line 449, in send
    timeout=timeout
  File "/usr/lib/python3.6/site-packages/urllib3/connectionpool.py", line 638, in urlopen
    _stacktrace=sys.exc_info()[2])
  File "/usr/lib/python3.6/site-packages/urllib3/util/retry.py", line 398, in increment
    raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='ipa2.chem.byu.edu', port=8443): Max retries exceeded with url: /ca/rest/certrequests/profiles/caManualRenewal (Caused by SSLError(SSLError(185073780, '[X509: KEY_VALUES_MISMATCH] key values mismatch (_ssl.c:3550)'),))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/pki/server/pkiserver.py", line 119, in <module>
    cli.execute(sys.argv)
  File "/usr/lib/python3.6/site-packages/pki/server/pkiserver.py", line 111, in execute
    super(PKIServerCLI, self).execute(args)
  File "/usr/lib/python3.6/site-packages/pki/cli/__init__.py", line 204, in execute
    module.execute(module_args)
  File "/usr/lib/python3.6/site-packages/pki/cli/__init__.py", line 204, in execute
    module.execute(module_args)
  File "/usr/lib/python3.6/site-packages/pki/server/cli/cert.py", line 1154, in execute
    renew=True)
  File "/usr/lib/python3.6/site-packages/pki/server/__init__.py", line 1709, in cert_create
    PKIServer.renew_certificate(connection, new_cert_file, serial)
  File "/usr/lib/python3.6/site-packages/pki/server/__init__.py", line 202, in renew_certificate
    ret = cert_client.enroll_cert(inputs=inputs, profile_id='caManualRenewal')
  File "/usr/lib/python3.6/site-packages/pki/__init__.py", line 442, in handler
    return fn_call(inst, *args, **kwargs)
  File "/usr/lib/python3.6/site-packages/pki/cert.py", line 1011, in enroll_cert
    enroll_request = self.create_enrollment_request(profile_id, inputs)
  File "/usr/lib/python3.6/site-packages/pki/__init__.py", line 442, in handler
    return fn_call(inst, *args, **kwargs)
  File "/usr/lib/python3.6/site-packages/pki/cert.py", line 962, in create_enrollment_request
    enrollment_template = self.get_enrollment_template(profile_id)
  File "/usr/lib/python3.6/site-packages/pki/__init__.py", line 442, in handler
    return fn_call(inst, *args, **kwargs)
  File "/usr/lib/python3.6/site-packages/pki/cert.py", line 942, in get_enrollment_template
    r = self.connection.get(url, self.headers)
  File "/usr/lib/python3.6/site-packages/pki/client.py", line 46, in wrapper
    return func(self, *args, **kwargs)
  File "/usr/lib/python3.6/site-packages/pki/client.py", line 160, in get
    timeout=timeout,
  File "/usr/lib/python3.6/site-packages/requests/sessions.py", line 537, in get
    return self.request('GET', url, **kwargs)
  File "/usr/lib/python3.6/site-packages/requests/sessions.py", line 524, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python3.6/site-packages/requests/sessions.py", line 637, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python3.6/site-packages/requests/adapters.py", line 514, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='ipa2.chem.byu.edu', port=8443): Max retries exceeded with url: /ca/rest/certrequests/profiles/caManualRenewal (Caused by SSLError(SSLError(185073780, '[X509: KEY_VALUES_MISMATCH] key values mismatch (_ssl.c:3550)'),))
ERROR: HTTPSConnectionPool(host='ipa2.chem.byu.edu', port=8443): Max retries exceeded with url: /ca/rest/certrequests/profiles/caManualRenewal (Caused by SSLError(SSLError(185073780, '[X509: KEY_VALUES_MISMATCH] key values mismatch (_ssl.c:3550)'),))
[root@ipa2 ~]# echo "--Certificate:" && openssl x509 -noout -modulus -in /var/lib/ipa/ra-agent.pem && echo "--Key:" && openssl rsa -noout -modulus -in /var/lib/ipa/ra-agent.key
--Certificate:
Modulus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
--Key:
Modulus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
[root@ipa2 ~]# openssl rsa -noout -modulus -in /var/lib/ipa/ra-agent.key | openssl md5
(stdin)= 0915781edbe620c5791cda50f310c538
[root@ipa2 ~]# openssl x509 -noout -modulus -in /var/lib/ipa/ra-agent.pem | openssl md5
(stdin)= 0915781edbe620c5791cda50f310c538
Looking at the cert and the key, they are a match and the modulus also
matches. What I can't figure out is why I am seeing this error if the
key and cert match. Is it possible to have a timestamp issue, or is
there some other reason that I can't find? Any help would be greatly
appreciated.
I'm not familiar with this command but based on the options you are
passing you compared the wrong cert. You compared the RA agent cert and
you asked to renew the subsystem cert.
You might want to see what cert owns serial number 49.
rob
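As an added example for readers of this thread (not code from either poster or from FreeIPA/Dogtag), the following bash script does the two checks Rob suggests: confirm that a given PEM cert and PEM key really carry the same public key, and confirm which cert has the serial number that pki-server printed. Python's load_cert_chain() raises KEY_VALUES_MISMATCH exactly when the cert and key it was handed disagree, so the pair to test is the one the tool uses, not the RA agent pair. The script compares the whole SubjectPublicKeyInfo rather than -modulus, which also works for EC keys. It assumes the openssl CLI is installed; the file names and the constructed test material (a self-signed cert with serial 49 plus an unrelated key) are hypothetical.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): verify that a PEM certificate and a PEM
# private key belong together, and report the certificate's serial so it can be
# matched against the "serial: 49" that pki-server cert-fix logged.
# Assumes the openssl CLI. File names below are hypothetical.
set -euo pipefail

# SHA-256 of the DER-encoded SubjectPublicKeyInfo carried by certificate $1.
cert_pubkey_fp() {
    openssl x509 -noout -pubkey -in "$1" \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 of the DER-encoded public key derived from private key $1.
key_pubkey_fp() {
    openssl pkey -in "$1" -pubout -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# Return 0 when cert $1 and key $2 carry the same public key. Comparing the full
# SubjectPublicKeyInfo (instead of "-modulus") works for RSA and EC alike.
cert_key_match() {
    [ "$(cert_pubkey_fp "$1")" = "$(key_pubkey_fp "$2")" ]
}

# Serial of cert $1 as upper-case hex with leading zeros stripped (openssl pads
# to an even number of digits, so "0A" becomes "A" to compare with printf '%X').
cert_serial_hex() {
    openssl x509 -noout -serial -in "$1" | cut -d= -f2 | sed 's/^0*\(.\)/\1/'
}

# Return 0 when cert $1 has the decimal serial $2 (pki-server logs serials in decimal).
cert_has_serial() {
    [ "$(cert_serial_hex "$1")" = "$(printf '%X' "$2")" ]
}

# Constructed test material: a self-signed cert with serial 49 and its key,
# plus an unrelated key that must NOT match it.
make_demo_material() {
    local dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -set_serial 49 \
        -subj '/CN=subsystem-example' \
        -keyout "$dir/subsystem.key" -out "$dir/subsystem.pem" >/dev/null 2>&1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/ra-agent.key" >/dev/null 2>&1
}

# Report for one cert/key pair and the serial you expect, e.g.
#   check_pair /path/to/subsystem.pem /path/to/subsystem.key 49
check_pair() {
    local cert=$1 key=$2 want_serial=$3
    if cert_key_match "$cert" "$key"; then
        echo "OK    $key matches $cert"
    else
        echo "FAIL  $key does not match $cert (this is what KEY_VALUES_MISMATCH reports)"
    fi
    if cert_has_serial "$cert" "$want_serial"; then
        echo "OK    $cert has serial $want_serial (0x$(cert_serial_hex "$cert"))"
    else
        echo "INFO  $cert has serial 0x$(cert_serial_hex "$cert"), not $want_serial"
    fi
}

# Run with --demo to exercise the checks on the constructed material.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_demo_material "$tmp"
    check_pair "$tmp/subsystem.pem" "$tmp/subsystem.key" 49   # matching pair
    check_pair "$tmp/subsystem.pem" "$tmp/ra-agent.key" 49    # wrong key: mismatch
    rm -rf "$tmp"
fi
```

To run the same check against a cert that lives in the Dogtag NSS database rather than a PEM file, export it first with certutil, for example `certutil -L -d /var/lib/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca' -a > subsystem.pem`, and point check_pair at that file together with whichever PEM key the renewal client is configured to present.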